While leveraging AI brings more opportunities to organizations, the emerging technology also comes with challenges – including potential cybersecurity issues.
Jim Palermo explains how IT leaders should tackle such challenges to get the most out of AI. Palermo is CIO of Red Hat, an open-source technology subsidiary of IBM based in Raleigh, North Carolina. He also gives his take on how IT leaders can translate technology spend to business value and boost their organization’s profitability.
Given the rapid adoption of AI technologies across industries, how are CIOs approaching the use of AI from a security standpoint to ensure the safety of their systems and data?
AI is a rapidly growing industry and with that being said, information security has a growing role in almost everything we do, including AI. AI technology is still very new across the technology industry and right now there is a lot of unknown.
Our information risk and security team continuously assesses information risk and ensures that systems and processes are in line with global industry requirements and regulations guided by the NIST Cybersecurity Framework. The team also makes sure systems and processes are resilient and secure, and are regularly tested—including any AI technology we use.
When thinking about integrating AI technologies, we use a domain-specific approach ensuring that we’re being very thoughtful about the integration of AI into our products and services. We’ll keep adding these capabilities into our portfolio leveraging more of this domain-specific view and even enabling customers to take their own data and build their own models within the enterprise focus.
If we’re able to understand where the data comes from, we can feel more confident that we’ll produce more meaningful results. If you have the wrong data or are too loose with the data, you can contaminate the models and disrupt the quality and security of the data.
You can see this approach with the work we’re doing with IBM around the Watson X and foundation models. We’re taking specific areas and training models with curated data so that we have a much better view of what goes in and therefore what comes out.
What are the challenges or potential risks you’ve encountered in deploying AI for security purposes, and how have you mitigated them?
Despite all of the benefits that AI provides, there are still some serious consequences if it’s not handled appropriately within an organization. Our customers are eager to try new AI, but it’s important for Red Hat IT to remind them of the potential risks.
One piece of that is creating clear guidelines and resources encouraging associates to only use AI technologies that have been properly vetted and approved by our information security team.
The ubiquity of AI, particularly large language models, has also brought with it new classes of vulnerabilities which are not well described by existing vulnerability taxonomies. Custodians of industry frameworks and AI vendors are now updating their taxonomies to cater for these new classes of vulnerabilities.
Red Hat’s current approach to vulnerabilities doesn’t use a strict categorization of the type of vulnerability, instead using Severity and CVSS v3, which should accommodate the AI-specific vulnerabilities.
However, consideration of these new classes of vulnerabilities has a broader set of challenges, spanning secure software development practices, quality engineering and vulnerability response, for AI vendors or those incorporating AI into their products, such as Red Hat with our release of Ansible Lightspeed.
How does IT contribute to the profitability of the company and how do you translate technology spend to business value to your customers?
Red Hat is in an incredibly competitive environment and it’s important for organizations, specifically IT, to identify what our unique value proposition is and how we intend to support the business to reach its full market opportunity.
By and large, the biggest thing we’re focused on is helping people achieve our vision of open hybrid cloud. That means doing for yourself what Red Hat enables its customer to do: operate and provide support within an open hybrid cloud reference architecture.
Within the past couple of years, Red Hat modernized its infrastructure so its engineers could innovate at the speed of today’s digital businesses. These changes provide the foundation that both IT and the business need to be able to meet Red Hat’s overall strategic goals, including delivering innovation at the edge. As Red Hat’s customers continue to innovate with the open hybrid cloud, Red Hat’s own technology teams are right there with them.
IT also enables our sales organization with enhanced technologies and top-tier support. This includes streamlining our CRM software and modernizing our data centers to support upgraded capabilities. Until now, we have been running the most customized instance that Salesforce supports, and IT has been a key player in creating the new tool that is cleaner, simpler and helps our sales teams make the right connections at the right times to close more business.
In addition, cybersecurity remains a top focus area. Increasing global security threats make security vigilance a continued priority for our teams and directly impacts revenue-generating opportunities for Red Hat.
For example, for the first time in Red Hat’s history, IT was awarded the Trusted Information Security Assessment Exchange certification, enabling us to engage in the highly competitive German automotive vertical. Certifications like this go beyond traditional security certifications by incorporating product-specific cybersecurity requirements, and allow us to clearly articulate the effectiveness and security of our products to Red Hat’s key partners.
But audits are not a one-and-done activity. We must work together to keep our customers’ data secure so we can close more deals.
How do you use it to influence future portfolio decision-making and forecasting for the company as a whole and what does the partnership between IT and the leadership team look like?
The ability to translate business value into technical spend is critical. The CIO has to be able to clearly articulate the outcomes needed to achieve company goals across the entire organization and enable the teams to plan capabilities to achieve them—while also helping business partners understand the cost and how to best leverage precious resources.
There is also the challenge of being asked to “run the business/keep the lights on” while also juggling the pressure to innovate and transform so the organization can keep or exceed the pace of business.
Prioritization against outcomes is key and it requires all the organizations’ leaders to be in agreement and hold their organizations accountable. This becomes a partnership where senior leaders are making decisions together, not just the CIO saying no.
If everyone is aligned on the outcomes, then it is up to each organization to ensure they are delivering the right things against it at the right time. This makes the more critical yes/no decisions within IT, not outside.
A key to our success at Red Hat is a portfolio management process with the proper tool set and processes to ensure we understand and can represent our full cost of services and a portfolio based on agile practices that enable us to adjust with shifting priorities and use to have a discussion to make mutual decisions with the business.
A solid architecture lens around all of this is critical to ensure a structure is in place to make sure things are lining up to support each other, we can prioritize investigations of new things and how we think about them from an investment standpoint and strategically think about how we deal with enterprise information to be aligned.
In this environment, IT teams need to evolve their culture and capabilities to be able to deliver applications and services faster, match innovation velocity to business velocity, and enable tech teams to deliver the latest innovations.
